Michael G. Trachtman
Powell Trachtman Logan Carrle & Lombardo, P.C.
MEA General Counsel
First, the bad news… There is an evolving, insidious breed of cyberattacks that pose risks beyond the damage awards, regulatory agency fines, injunctions, and criminal sanctions I wrote about in the March 2017 Workplace Advisor. These are cyberattacks that are existential in nature – they can severely compromise or, often, put a company entirely out of business, virtually overnight.
Now, the (sort of) good news… There are strategies that, while not perfect, can be of very significant help. The proper design and implementation of these strategies will require both legal counsel and technical expertise — some law firms, like my firm, partner with cybersecurity consultants to provide a “one-stop” resource. The failure to utilize these strategies involves a gamble most businesses cannot afford to take.
What Are the Sources of the Risks?
The threats come from the inside and the outside.
On the inside, employees are a constant source of risk. Sometimes the motive is purely financial – competitors will hire employees who can deliver valuable data, and the Internet “black market” pays cash for login credentials, credit card, banking, intellectual property, social security numbers and other sensitive information. Employee ignorance and negligence are a major issue as well — employees fall prey to phishing schemes, they are careless with their selection and protection of passwords, and they lose laptops and thumb drives. And, sometimes, employees vandalize systems and data out of pure revenge for perceived mistreatment.
On the outside, “phishing” schemes – emails that induce a computer user to click on an attachment, a link or a URL – are extremely dangerous. The “phishers” have become increasingly sophisticated — in April, a Chinese researcher disclosed a new “almost impossible to detect” phishing scheme. In addition, vendors and consultants (or unscrupulous individuals who work for them) are often provided with access to networks and databases, and they, too, are a common source of data breaches. And, as has been well publicized in recent news reports, hackers from all over the world are unleashing cyberattacks that install “ransomware” on a company’s unprotected computer systems – all of the company’s data is encrypted unless and until the company pays a ransom.
And so on …
Seven “Best Practices” Recommendations
Many companies rely on anti-virus software, firewalls and data back-ups, all of which remain foundational elements of any cybersecurity program, but they are not nearly enough: the “bad guys” long ago devised (and in some cases published on the Internet) work-arounds that limit and, often, obliterate the effectiveness of these measures.
In the current environment, a cyberattack prevention and damage minimization plan must include at least the following.
1. Know and monitor your employees, vendors and consultants.
Run background checks on employees, vendors and consultants who will have access to sensitive information, and continue to do so periodically during their relationship with your business. Look for signs of unreliability, financial instability or suspicious behavior. Monitor employee emails and other computer activity on the company’s network.
2. Your data: know where it is, restrict access, monitor accesses, and control how it is transmitted, received and stored.
Know and control exactly where your most valuable information is and restrict who can access what data on a need-to-know basis, limited to the minimum necessary to perform job responsibilities. Modify access rights when job responsibilities change, and terminate access rights as soon as (or just before) the employment relationship ends. Implement encryption and other protections with respect to data that comes in and data that goes out. Periodically analyze data records to verify that your data is being handled as planned, and that protective measures have not been circumvented or breached.
Counsel and cybersecurity experts can provide a roadmap. The Cybersecurity Framework produced by the National Institute of Standards and Technology (NIST) provides detailed guidance.
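One way to carry out the periodic access review this item calls for is to reconcile the data store’s current grants against the HR roster and a role-to-data entitlement map; the script below is an added example, not code from the article or the author’s firm, and the usernames, roles and dataset names are constructed sample data:

```python
"""Access-review reconciliation (added example, constructed data).

Flags three kinds of grants the article says should not exist:
  - grants held by terminated employees (access not revoked),
  - grants outside what the employee's current role needs (need-to-know),
  - grants held by accounts that HR does not know about at all.
"""

# Role -> datasets that role legitimately needs. Constructed example policy.
ROLE_ENTITLEMENTS = {
    "payroll": {"hr_records", "w2_forms"},
    "sales": {"customer_list"},
    "engineer": {"source_code"},
}

# HR roster: user -> (current role, still employed?). Constructed sample.
HR_ROSTER = {
    "alice": ("payroll", True),
    "bob": ("sales", True),
    "carol": ("engineer", False),   # employment has ended
    "dave": ("sales", True),        # moved from engineering to sales
}

# Grants as exported from the data store's ACLs. Constructed sample.
ACCESS_GRANTS = [
    ("alice", "hr_records"),
    ("bob", "customer_list"),
    ("carol", "source_code"),       # orphaned: carol is terminated
    ("dave", "source_code"),        # stale: dave's new role does not need it
    ("dave", "customer_list"),
    ("eve", "w2_forms"),            # unknown account: not in the HR roster
]


def review_access(roster, entitlements, grants):
    """Return (user, dataset, reason) for every grant that should be revoked."""
    findings = []
    for user, dataset in grants:
        if user not in roster:
            findings.append((user, dataset, "unknown_account"))
            continue
        role, active = roster[user]
        if not active:
            findings.append((user, dataset, "terminated_user"))
        elif dataset not in entitlements.get(role, set()):
            findings.append((user, dataset, "exceeds_role"))
    return findings


if __name__ == "__main__":
    for user, dataset, reason in review_access(HR_ROSTER, ROLE_ENTITLEMENTS, ACCESS_GRANTS):
        print(f"REVOKE {user} on {dataset}: {reason}")
```

Run on a schedule and diffed against the previous run, the findings list doubles as evidence that access was actually revoked when roles changed or employment ended.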
3. Policies, procedures, training and monitoring.
The majority of data breaches start with negligent handling of data, or phishing emails that induce the recipient to open an attachment, to click on a link or URL, or to disclose passwords or login information. Counsel, working with cybersecurity experts, can develop enforceable, legally compliant and effective policies and procedures to increase the security of networks and data against these risks. Counsel can also develop procedures that will assist in the utilization of federal and state “trade secret” and intellectual property laws. Additional, customized training should be provided to employees authorized to access particularly sensitive information.
It is useless to develop policies and procedures without providing training on the meaning and implementation of those policies and procedures. From the mail room to the board room, training and cybersecurity awareness programs at onboarding and periodically thereafter are mandatory. Monitor the effectiveness of the training thereafter – for example, many companies will send fake phishing emails to employees to see how many take the bait.
4. Utilize employment, vendor and consultant agreements.
Certain contractual provisions can provide effective legal remedies in the event of a data breach and, just as important, can transfer the financial risks of a data breach to the party who is best able to control or prevent the problem. Do not underestimate the importance of using the most effective agreement provisions.
5. Implement an effective password strategy.
Require that employees use strong passwords that contain at least eight characters with a mix of letters, numbers, symbols, and cases, require new passwords at least quarterly, and develop a policy on sharing passwords with IT personnel. Many cybersecurity consultants recommend that “two-factor authentication” be implemented uniformly in certain businesses.
6. Prepare for a security incident.
There are laws that dictate certain responses in the event of a disclosure of personal customer or employee information, such as social security numbers, credit card information, health benefit records, and W-2 forms. The penalties for non-compliance can be severe.
Apart from legal compliance, each company needs its own plan, depending on the nature of its infrastructure and organization, for responding to and minimizing the effect of a cybersecurity incident. For example, the U.S. Department of Justice Cybersecurity Unit has published a useful guidance document, “Best Practices for Victim Response and Reporting of Cyber Incidents”. Do not allow yourself to be in a position where you must ad-lib your way through the aftermath of a cyberattack.
7. Consider insurance.
Cybersecurity insurance is an evolving market, and depending on individual circumstances, different types and levels of insurance will be appropriate. A qualified insurance agent or broker who understands the options can be invaluable.
The upshot of the current reality is that cybersecurity issues involve difficult, high-stakes policy decisions and require top-notch legal and technical assistance. Let us know if we can help.
Michael G. Trachtman is MEA’s general counsel and the President of Powell Trachtman Logan Carrle & Lombardo P.C., a 30+ attorney King of Prussia-based law firm that has represented businesses and business people for over twenty-five years. He can be contacted at firstname.lastname@example.org. See www.powelltrachtman.com for more information.